refer to first bucket values to compute more data


Hi Folks,
Here's what I have,

index=blah | bucket span=1d _time | chart count(id) over _time by src


_time src1   src2
day1  100    200
day2  110    180
day3  105    100
day4  90     210

Now here's what I am looking for: given a time window, produce the % variation from the start of the time period per source. The start of the time period is considered the baseline (0%). I am looking for a way to refer to the first bucket value to compute these % values. The end result should look something like the below.


_time src1   src1%   src2   src2%
day1  100    0%      200    0%
day2  110    10%     180    -10%
day3  105    5%      100    0%
day4  90     -10%    210    5%

Is there a way to use _time as key? If yes how?



I've re-created your scenario after the chart like this:

| gentimes start=-1 increment=2h | streamstats count as day | fields day | eval value=(random()%200) | appendpipe [stats count as day | eval day=0 | eval value=100] | sort + day

Running that produces a table similar to your first result. Using that, I've built a table similar to your desired second result like this:

... | eventstats first(value) as baseline | eval diff=(value-baseline)/baseline | fieldformat diff = round(diff*100,2)."%" | table day value diff

The end result looks something like this:

day value   diff
 0  100       0.00%
 1   70     -30.00%
 2   47     -53.00%
 3  156      56.00%
 4  181      81.00%
 5  130      30.00%
 6  155      55.00%
 7  192      92.00%
 8  137      37.00%
 9  110      10.00%
10    7     -93.00%
11  100       0.00%
12  133      33.00% 


You can run a search pipeline for multiple fields using the foreach command: http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/foreach



I was able to produce A. as below:

index=blah | bucket span=1h _time | stats count(id) as cnt by _time, src | table _time, src, cnt | xyseries _time src cnt

but I am having difficulties creating the diff per src. How can I create multiple fields at once?



Martin, thanks for replying. I see your point. It looks like a great approach for a single series of data. I am having difficulties applying the same to multiple time series.

As you can see in my example above, I have a matrix of data for each "src". Hence I am using bucket/span along with chart to produce the 1st table.

In order to use your approach,
A. I need to bring the data into tabular form without using chart and its "over" feature.
B. Generate the diff per src as the final solution.

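Putting the two hints in this thread together for the multi-series case (steps A and B above), as an added example that is not from the original posts: keep the results in long form with stats ... BY _time src, so that the eventstats first() trick from the answer is applied per src, and only pivot back to a wide table with xyseries at the end. index=blah, id and src are the names used in the question; the explicit sort, the zero-baseline guard and the two-value xyseries are my additions.

```spl
index=blah
| bucket span=1d _time
| stats count(id) AS cnt BY _time src
| sort 0 _time src
| eventstats first(cnt) AS baseline BY src
| eval pct=if(baseline>0, round((cnt-baseline)/baseline*100, 2), null())
| xyseries _time src cnt pct
```

A few points worth checking before trusting the numbers. first() in eventstats returns the first value that reaches the command for each src group, so the sort 0 _time src (0 lifts the default row limit) is what makes "first" mean "earliest bucket"; without it a src that appears late or out of order gets the wrong baseline. The first bucket is only a valid 0% baseline if the time picker is aligned to the 1d span; a partial first day makes every later percentage look inflated, so snap the earliest time to @d. The if() guard avoids dividing by zero for a src with no events in the first bucket (Splunk would otherwise yield a null pct silently). xyseries with two value fields names the output columns by value field and src value (cnt: src1, pct: src1, cnt: src2, ...), which is the side-by-side layout asked for; the alternative is to run foreach over the wide chart output, but there the column names are the raw src values, so the wildcard pattern in foreach has to match whatever those values look like, which the long-form pipeline avoids.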